Controlling BGP Traffic

14 Mar

BGP updates can be controlled. It is often advantageous to limit the way that the BGP routing updates are propagated, for the same reasons that any routing protocol is best limited to only those updates that are required. This not only streamlines the traffic flow on the network, but also simplifies the network and thus its maintenance. Designing how the routing information should be forwarded through the network forms a basic level of security and can reduce the possibility of routing loops.

There are three main ways to apply policy-based routing in BGP:
■ Making decisions based on the autonomous system path, the community, or the prefix
■ Rejecting or accepting selected routes
■ Setting attributes to influence the path selection
Rejecting or accepting selected routes requires some form of filtering through access lists. Filtering is used not only in policy-based routing, but also essentially as traffic control. There are three main flavors of filtering on a Cisco router:

■ Autonomous system path access list—Used for filtering autonomous systems. An access list is used in BGP to filter updates sent from a peer based on the autonomous system path. In addition, other technologies use access lists for standard filtering.
■ Prefix list—Used for filtering prefixes, particularly in redistribution. From Cisco IOS software version 11.2, ISPs were given prefix lists, which are a more efficient form of filtering. Prefix lists filter based on the prefix of the address. This option was made a part of IOS software version 12.0.
■ Distribute lists—Used to filter routing updates. Although they are often used in redistribution, they are not specific to redistribution; they can be applied to inbound and outbound updates to or from any peer. Both prefix lists and distribute lists filter on network numbers, not autonomous system paths, for which autonomous system path access lists are used.
■ Route maps—Used to define routing policy. A route map is a sophisticated access list that defines criteria upon which a router acts when a match is found for the stated criteria. It is used in BGP for setting the attributes that determine the basis for selecting the best path to a destination.

Prefix lists are dealt with in more depth in the following sections. Route maps are dealt with in detail in Chapter 18, “Controlling Network Traffic with Route Maps and Policy-Based Routing,” and distribute lists are explained in Chapter 17, “Implementing Redistribution and Controlling Routing Updates.” Autonomous system path access lists are outside the scope of this book.

How Prefix Lists Work
Prefix lists were introduced in BGP because they are an efficient form of filtering. Because they search on the prefix of the address as defined by the administrator, the lookup is very fast. This is particularly important in the potentially huge routing tables that can be generated in BGP networks.

Another great advantage to prefix lists is the capability to edit them, particularly if they become large. Although it is possible to dynamically edit access lists, it is a little complicated. You must either port the access list to an application that allows editing or use named access lists.

Prefix lists are easier to create and use. This is true not only with the editing features, but also with the improved interface, which affords greater flexibility.

Before applying a prefix list to a process or an interface, you must first define the criteria for the prefix list. Each line in the prefix list is associated with a sequence number, similar to the number identifying a line of code in a computer program. If you choose not to enter the sequence number manually with the prefix-list command, the sequence numbers are automatically generated in increments of five. The sequence numbers that have not been used, for example, between 1 and 4, allow for additional lines to be added in subsequent edits of the prefix list. You can edit the prefix list by referencing the line or sequence number. This ability is not available in access lists, which require you to rewrite the entire list, unless you have the forethought to copy and paste the configuration file into a word processor.

Prefix lists work by matching the prefixes in the list to the prefixes of routes that are under scrutiny. The manner in which this is done is similar to that of access lists. When there is a match, the route is used or discarded.

More specifically, whether a prefix is permitted or denied is based upon the following rules:
■ If a route is permitted, the route is used.
■ If a route is denied, the route is not used.
■ At the bottom of every prefix list is an implicit deny any. Thus, if a given prefix does not match any entries of a prefix list, it is denied.
■ When multiple entries of a prefix list match a given prefix, the entry with the smallest sequence number (the first match in the list) is used.

■ The router begins the search at the top of the prefix list, with the sequence number 1. When a match is made, the search stops. Processing time will be reduced if the most common matches or denies are placed near the top of the list. This will prevent having to process criteria that are seldom met every time a route is examined.
■ Sequence numbers are automatically generated by default. To configure the sequence numbers manually, use the seq seq-value argument of the ip prefix-list command.
■ A sequence number does not need to be specified when removing a configuration entry.

How to Configure a BGP Prefix List
Configuring a prefix list is straightforward if attention is given to the processing rules.

The following command creates an entry in a prefix list and assigns a sequence number to the entry:

Router(config)#ip prefix-list prefix-list-name [seq seq-value] {deny | permit} network/len [ge ge-value] [le le-value]
Table 16-4 explains the parameters shown in the preceding syntax.
Table 16-4 Explanation of the ip prefix-list Command

To configure a router to use a prefix list as a filter in distributing routes, use the following command:
Router(config-router)#neighbor {ip-address | peer-group} prefix-list prefix-list-name {in | out}
An example of a simple prefix list follows:

The prefix list “tryout” will allow the networks 44.0.0.0 and the supernet 130.0.0.0 to be further processed by BGP.

Sometimes it is necessary to create a criteria range as opposed to an absolute. For example, you could change “all 2-year-old children are allowed into the playground” to “children between the ages of 2 and 4 are allowed into the playground.” This grants greater flexibility to the searches. The way to do this in a prefix list is to use the ge and le parameters.

These optional keywords allow a range of the prefix length to be specified, as opposed to the network/len, which is the absolute. Therefore, 10.2.3.0/24 is an example of the network/len, which states the prefix to be matched and the length of the prefix. The equations are confusing until you sit and work them out. The following are some key points:

■ ge is used if the prefix is greater than or equal to the value stated in the list.
■ le is used if the prefix is less than or equal to the value stated in the list.

Simply put, the ge-value is the lower limit: the prefix length must be greater than or equal to the ge-value. Likewise, the le-value is the upper limit: the prefix length must be less than or equal to the le-value. So, children entering the playground must be at least 2 (ge-value of 2) and no older than 4 (le-value of 4). Therefore, the formula requires the following condition:

len < ge-value <= le-value <= 32
For example, to permit all prefixes between /8 and /24, you would use the following:
Router(config)#ip prefix-list tryone permit 0.0.0.0/0 ge 8 le 24

NOTE An exact match is assumed when neither ge nor le is specified. The range is assumed to be from ge-value to 32 if only the ge attribute is specified, and from len to le-value if only the le attribute is specified.
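To see how the rules above fit together (entries searched in sequence-number order, first match wins, implicit deny at the end, automatic sequence numbers in steps of five, and the ge/le prefix-length windows including the exact-match, ge-only and le-only cases from the note), here is a small Python model of prefix-list evaluation. It is an added example written for this page, not code from the book or from Cisco IOS; the names PrefixList, length_range, evaluate and the list called "sample" are assumptions, and the only entry taken from the text is the tryone list's permit 0.0.0.0/0 ge 8 le 24.

```python
"""Toy model of IOS prefix-list matching (added example, not from the book)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def length_range(plen: int, ge: Optional[int], le: Optional[int]) -> Tuple[int, int]:
    """Return the (low, high) prefix-length window an entry accepts.

    Follows the text and its note:
      neither ge nor le : exact match on len
      ge only           : ge-value .. 32
      le only           : len .. le-value
      both              : ge-value .. le-value
    Raises ValueError when the window violates len < ge-value <= le-value <= 32
    (le == len without ge is accepted here as an exact match; that is an assumption).
    """
    low = plen if ge is None else ge
    if le is not None:
        high = le
    else:
        high = 32 if ge is not None else plen
    if ge is not None and not plen < ge:
        raise ValueError(f"ge-value {ge} must be greater than len {plen}")
    if not low <= high <= 32:
        raise ValueError(f"invalid range for /{plen}: ge={ge} le={le}")
    return low, high


@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # the network/len part of the line
    low: int                         # smallest prefix length accepted
    high: int                        # largest prefix length accepted

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The first `len` bits must agree (route lies inside network/len) and
        # the route's own length must fall inside the low..high window.
        return route.subnet_of(self.network) and self.low <= route.prefixlen <= self.high


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Entry] = []

    def add(self, action: str, network: str, ge: Optional[int] = None,
            le: Optional[int] = None, seq: Optional[int] = None) -> int:
        """Add one line; without an explicit seq, number it in steps of five."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if seq is None:
            seq = max((e.seq for e in self.entries), default=0) + 5
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence number {seq} already in use")
        net = ipaddress.IPv4Network(network)   # strict: host bits must be zero
        low, high = length_range(net.prefixlen, ge, le)
        self.entries.append(Entry(seq, action, net, low, high))
        self.entries.sort(key=lambda e: e.seq)  # search order is sequence order
        return seq

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        """Return (action, seq of the matching line); ("deny", None) is the implicit deny."""
        target = ipaddress.IPv4Network(route)
        for entry in self.entries:        # lowest sequence number first
            if entry.matches(target):     # stop at the first match
                return entry.action, entry.seq
        return "deny", None


def build_tryone() -> PrefixList:
    """The book's tryone list: permit every prefix between /8 and /24."""
    pl = PrefixList("tryone")
    pl.add("permit", "0.0.0.0/0", ge=8, le=24)
    return pl


def build_sample() -> PrefixList:
    """Constructed list (not from the book) showing first match and the exact/ge-only forms."""
    pl = PrefixList("sample")
    pl.add("deny", "10.0.0.0/8", le=32)       # seq 5: anything inside 10/8, /8 to /32
    pl.add("permit", "44.0.0.0/8")            # seq 10: exact match on 44.0.0.0/8 only
    pl.add("permit", "130.0.0.0/8", ge=16)    # seq 15: /16 to /32 inside 130/8
    return pl


if __name__ == "__main__":
    sample = build_sample()
    for route in ("10.2.3.0/24", "44.0.0.0/8", "44.1.0.0/16",
                  "130.5.0.0/16", "130.0.0.0/8", "192.0.2.0/24"):
        print(f"{route:16} -> {sample.evaluate(route)}")
```

Because evaluate returns the sequence number of the line that matched, the same model answers the question the show ip prefix-list first-match option answers on the router: which line is responsible for a given prefix being permitted or denied. Note that 44.1.0.0/16 falls through the exact-match line at seq 10 and is caught by the implicit deny, which is the behaviour the note describes when neither ge nor le is given.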

Verifying the Prefix List Configuration
As always, it is important to check the configuration, especially if it involves the filtering of routes or routing updates. Table 16-5 lists the various show commands available for prefix lists.

To display information about a prefix list or prefix list entries, use the show ip prefix-list exec command:

Router#show ip prefix-list [detail | summary] name [network/len] [seq seq-num] [longer] [first-match]

Table 16-5 Displaying Prefix List Command Options

The show commands always include the sequence numbers in their output.
Example 16-4 shows the output of the show ip prefix-list command with details about the prefix list “tryout.”
Example 16-4 A Sample Output of the show ip prefix-list Command

As you have seen, filtering routes is crucial in the design of BGP in order to maintain manageable routing tables and to conserve network resources. Up to this point, the discussion has centered on the use of BGP within and between autonomous systems. When connecting to the Internet, you need to consider slightly different design issues, as discussed in the next section.

Connecting to the Internet with BGP
As an exterior routing protocol, BGP is used to connect to the Internet and to route traffic within the Internet. You need to be aware of some design considerations when connecting to such an enormous resource. Just like driving a car during rush hour, you need different skills depending on whether you are joining a freeway or driving through a small town. When connecting to the Internet, your network is joining a major freeway that connects large cities, so you must ensure that the amount of traffic and information does not overwhelm your network.

The following sections deal with two important design considerations: the need for redundant links into the Internet, called multihoming, and the need to decide how much information to receive from the Internet.

Redundant Connections to the Internet—Multihoming
An enormous amount of traffic leaves an organization in search of Internet resources. This traffic includes not only e-mail and other means of communication, but also requests for information from the Internet.

Use of the Internet continues to expand as both an individual tool and a major mechanism of finance and commerce. It becomes increasingly necessary for the network administrator to provide constant access to the Internet with load balancing and redundancy with multihoming.

To have more than one connection to the Internet is to be multihomed. The reason for duplicating the connection is clear: The need for Internet access nowadays is too great for the responsibility to fall onto one link. Multiple links not only provide redundancy, but also allow for load balancing and thus present an improvement in performance.

Multihoming might be several connections to the same ISP, or it might include another layer of redundancy by making the second connection to another ISP. The following are some concerns about connecting to more than one ISP:

■ Each provider might not be propagating the same routes into or from the Internet. If the providers are sending subsets of the required routes, there could be a major problem with connectivity if the link to one of the providers fails.
■ If you are connected to two different providers, your autonomous system could become a transit autonomous system between the ISPs. This could happen if a router in the autonomous system of one provider sees a path to a destination via the other provider’s autonomous system, and your autonomous system gives the best route to the autonomous system of the other provider.

Configuration at the ISP level is the solution to these concerns and is dealt with when setting up the service. Therefore, it is important that you raise the need for multihoming during negotiations with the ISP so that the ISP is aware of the need for additional configuration.

Receiving Routing Information from the Internet
When connecting to something as vast as the Internet, some planning and forethought is necessary. In particular, it is essential to decide what updates are to be sent to the outside world and how routers within the autonomous system are to know about the outside world and all that it offers.

There are three main approaches to the selection of routes from the Internet:
■ Accept only default routes from all providers
■ Accept partial routes in addition to default routes from all providers
■ Accept full routing updates from all providers
The decision process is clear: It is a balance of network resources against information. The greater the amount of resources, the more routes can be accepted from the providers.

Table 16-6 summarizes the different approaches to obtaining routing information from the Internet.
Table 16-6 Receiving Routing Updates from Multiple ISPs

Figure 16-7 illustrates the various options available in exchanging routing information with the Internet.

Figure 16-7 Exchanging Routing Information with the Internet

NOTE The second solution, accepting partial routes from the ISP, requires the updates sent into the autonomous system to be filtered, either by your autonomous system or by the ISP. If the responsibility falls to your organization, you will need to study the use of route maps and regular expressions. This is a complex subject, which is explained in detail on the Cisco web site. As of press time for this book, the best information on this subject could be found at http://www.cisco.com/warp/publi /459/27.html. Or, go to Cisco.com and search for “sample configurations for BGP.”
